Auditing In

Auditing in enterprise systemenvironment: a synthesis

Alexandra Kanellou and Charalambos SpathisDivision of Business Administration, Department of Economics,

Aristotle University of Thessaloniki, Thessaloniki, Greece

Abstract

Purpose – The purpose of this article is to provide a selective and comprehensive literature reviewbased on previous research within auditing and enterprise systems (ES). This is done to identifyresearch gaps, propose directions for future research and guide researchers and practitioners on howto better synthesize these two areas. Interaction between ES and auditing is in need of more academicresearch and practical investigation, which may lead to the development of better solutions, guidelinesand frameworks.

Design/methodology/approach – A total of 31 academic studies from 2000 to 2010 were includedin this study. After reading these studies, different areas had been selected and were addressed in fivecategories: the future of audit in ES environment, modern audit tools and techniques, changes ofauditors’ role, differences in perceptions between financial auditors and IT auditors, ERP andcompliance with regulations.

Findings – ES implementation results in audit process reengineering and increases the need ofcontinuous monitoring of transactions. The presence of IT auditors becomes critical, while financialauditors are asked to enhance their skills in order to be able to conduct effective audit tests. Modern audittools and techniques must be used so that internal control processes will be appropriate for an ES.

Research limitations/implications – It is not an exhaustive list and some relevant publicationsmight have been overlooked. Much literature has been scanned by reading the title only. In order toconduct a comprehensive review the topical focus was kept relatively narrow on auditing and ES.

Practical implications – Researchers and practitioners must take into consideration the interactionbetween ES and auditing in order to advance research in this area. Companies must understand thechanges that occur in the audit procedure due to ES implementation, so that they will design efficientaudit tests and auditors must enhance their knowledge in order to be able to conduct these testseffectively.

Originality/value – This study uncovers and classifies current research within auditing and ES(focusing mostly on ERP systems).

Keywords ES, ERP, Internal-external auditing, Continuous auditing, IS (IT) auditors-financial auditors,IS (IT) Audit, Internal-external control, External auditing, Internal auditing

Paper type Literature review

1. IntroductionMany business changes have occurred throughout the history and a major one hasbeen related to Enterprise Systems (ES) and their primary form Enterprise ResourcePlanning Systems (ERPs). These systems have transformed the way business data iscollected, stored, disseminated and used (Sutton, 2006). Enterprise resource planningsystems are defined as “information system packages that integrate information and

The current issue and full text archive of this journal is available at

www.emeraldinsight.com/1741-0398.htm

The authors gratefully acknowledge the Editor and the reviewers’ constructive comments on anearlier version of the paper.

JEIM24,6

494

Received 19 November 2010Revised 3 December 201013 January 201113 January 2011Accepted 19 January 2011

Journal of Enterprise InformationManagementVol. 24 No. 6, 2011pp. 494-519q Emerald Group Publishing Limited1741-0398DOI 10.1108/17410391111166549

information-based processes within and across functional areas in an organization”(Kumar and Hillegersberg, 2000). An ERP system is an enterprise system that affectsmany all the departments of a company. Thus, understanding each department and itsconcerns is important (Gallegos, 2005). ERP system appears to be the system used bythe majority of large clients serviced by audit firms. Thus, ERP systems are thedominant system environment for auditors servicing public clients, although theclients of audit firms use a variety of systems to monitor accounting transactions(Brazel, 2005). Yen et al. (2006) and Coppers & Lybrand (2002) also mention thatauditing personnel must properly deal with the change caused by the ERP system.

The profession of auditing is a rich resource for enterprises because the auditactivity monitors the adequacy and effectiveness of management’s control frameworkand contributes to the integrity of corporate governance, risk evaluation, and financial,operating and IT systems (Burnaby and Hass, 2009).

The traditional audit model has undergone significant change during the lastdecade. The change in the financial audit’s focus is attributed to market pressures,including saturation, competitive pricing and increased training and technology(Eilifsen et al., 2001). Auditing has taken on risk management focus, and auditengagement teams increasingly include information system specialists also (Winogradet al., 2000). Although enterprise systems increase the complexity of accounting andauditing processes, they offer opportunities for improvements as far as these processesare concerned (Spathis, 2006).

Auditing can be classified into two types: internal auditing and external auditing.Internal auditing can be defined as a method independent and objective validation. Notonly it increases the value and improves the operation and performance of an organization,but also facilitates the effects of related processes to achieve an organization’s goals.Spathis and Constantinides (2004) also, found that the implementation of an ERP system isusually followed by an increase in internal audit procedures. This is because inadequateinternal controls in an ERP system environment may cause problems, such asunauthorized access to the system and computer fraud (Bae and Ashcroft, 2004). On theother hand, external auditing is conducted outside the organization. Organizations hire theservices of external auditors who are usually accountants.

It is important to note that in an enterprise system environment traditionalprocedures for obtaining audit evidence may not be appropriate or sufficient, asevidence comes mainly in an electronic form. Electronic audit evidence can be definedas any information created, transmitted, processed, maintained or accessedelectronically and used by the auditor to evaluate financial statement assertions andto support the content of the audit report (Rezaee and Reinstein, 1998).

Computer aided auditing is beneficial, but it also has some disadvantages. Besideschanging the operation and process of auditing, computer aided auditing involves thedistribution of various files in different locations, making auditing even more difficultand complicated especially for those who do not have sufficient knowledge of thetechnology. In addition, many ERP systems involve journal recording. This means thatthose not involved in the operation department may not be able to identify thepersonnel responsible for some data they may need. Another drawback may be thatpersonnel from IT department can also modify the data and information since theyhave access to the database. This could lead a company to economic losses, which maynot be identified right away (Chang et al., 2008). Auditors’ main concern has to do with

Auditing in ESenvironment

495

the security of financial data, because when data security processes are missing,integrity is threatened. Overall, the implementation of enterprise systems presents newchallenges, risks and opportunities to accounting professionals (Sutton, 2000).Furthermore, an ES raises serious concerns for auditing practitioners and has a majorimpact not only on financial auditors, but also on IT auditors (Munter, 2002).

Despite their acclaimed advantages, ERP systems pose potentially heightenedbusiness, security and audit risks primarily due to automated procedures amongbusiness process and integrated databases (Hunton et al., 2004). Statement on AuditingStandards (SAS) No 94 (AICPA, 2001) calls for auditors to understand the computerizedprocedures used to prepare an entity’s financial statements and related disclosures. Morespecifically, SAS No.94 requires auditors to consider how the client’s informationtechnology (IT) infrastructure affects the audit strategy, to design audit tests, todetermine the extent to which computerized internal controls are operating effectively,and to possess requisite skills to evaluate and test IT systems or obtain help fromspecialists who have such skills. ERP systems are complex audit environments andtherefore auditors need to expand their technological knowledge and skills in order toperform effective and efficient audits (POB, 2000). It seems that there is a need ofcomputer or IT auditors for auditing an enterprise system and evaluating the automatedcontrols built into the system. The presence of IT auditors is necessary when the auditprocess takes place in a dominant or significant IT environment.

At this point it is worthwhile to note that the most important implications that arisefor the audit function due to enterprise systems implementation are as follows: First,auditors need to handle electronic audit evidence effectively, second there is need ofmore internal controls for the enterprise system and the security of the electronic dataand third there is a need of IT audit professionals.

Few literature reviews have been written concerning auditing and informationsystems. The most recent is the one of Kuhn and Sutton (2010), which focusesparticularly on continuous auditing and ERP systems. Curtis et al. (2009) also,published a review focusing on auditors’ training and proficiency in relation toinformation systems and Madani (2009) analyzed the role of internal auditors inERP-based organizations. Thus, our study is the first literature review that focuses onauditing and enterprise systems as a whole.

The purpose of this study is to uncover, classify and interpret current researchwithin enterprise systems and auditing, and also to examine how and to which extentthe implementation of ES in organizations affects audit procedures. This will be doneto identify research gaps and directions for future research and to guide researchersand practitioners investigating and making decisions on how to better synthesize thesetwo areas. This study also tries to examine how and to which extent theimplementation of ES in the organizations affects auditors’ roles.

Our study is organized as follows: At first, we present the approach used for articleidentification and collection. Then, we analyze the bibliography and review. Finally,we draw some conclusions, we state some limitations and we propose directions forfuture research.

2. Survey search approachThe survey search approach can be divided into four essential phases: databases onlinesearch, first results, final results and classification of results, as displayed in Figure 1.

JEIM24,6

496

In phase 1, we selected articles through web search facilities (databases) offered bysome major publishers, such as “ProQuest”, “Scopus” and “Ebsco”.

The criteria for choosing articles for our study are as follows:. First of all, the article must have been published in a peer review, archival

journal.. Second, to avoid never ending search of articles, “December 2010” was selected

as the cut-off date.. Third, articles were searched by using specific keywords, such as “ERP systems,

ES, Internal-External Auditing, Continuous Auditing, IS (IT) Auditors-FinancialAuditors, Internal-External Control”. The reason why is that our purposeconcerning previous research was to summarize the effects that ES have on theaudit procedures, on the auditor’s (internal-external) role and on the future formof the audit function as a whole. The exceptions are those articles that are

Figure 1.Steps of survey search

approach


497

explicitly dealing with “ERP (or ES) and auditing” but for some reasons theauthors decided not to use the above keywords in the title and abstract.Consequently, it is possible that there exist more of such articles, which are notreviewed in the present study.

. Fourth, no restrictions were imposed in the field of the surveyed journal. Thisshould allow a comprehensive set of viewpoints on ERP and auditing bydifferent fields.

. Fifth, we included academic studies from 2000 to 2010. This was because from2000 until today there is a tremendous increase in the use of ES. Studies before2000 referred to IT or IS in general and not to ES or ERPs in particular.

According to these criteria, an attempt has been made to collect all the available journalarticles. Different combinations of the above keywords produced 160 articles. Also, wechecked the references of the articles and we clicked on the option “related articles” andthus, a further 72 studies were added to our first results. Thus, initial survey producedoriginally a sample of 232 articles (phase 2).

The review and classification process was carefully and independently verified bythe co-authors. After reading the articles, we eliminated those that had a loose relationwith ERP (or ES) and auditing. A total of 31 articles were eventually included in thefinal sample (phase 3). The complete list of the articles (year of publication, journal title,authors, paper type, research method and sample size) which were finally included inour study is provided in Table I.

Distribution of articles by journal title is displayed in Table II.In phase 4, we classified the final sample of articles as follows:

. using the articles’ abstracts, the one co-author defined large classes of subjects inorder to structure this large amount of literature;

. these classes of subjects were then verified and double checked by the otherco-author; and

. the authors classified these subjects into five main categories.

The different areas that have been selected are successively addressed in the followingsections of this study:

. the future of audit in an ES environment;

. modern audit tools and techniques;

. auditor’s role and expertise in an ES environment;

. financial auditors and IT auditors – differences in risk assessment, roles andperceptions; and

. ERP and compliance with regulations.

Indeed, many overlapping items can be found among these main categories and furthercategories emerged, but nevertheless this study tries to provide a consistent frameworkfor classifying the considered published articles.

JEIM24,6

498

Yea

rJo

urn

alti

tle

Au

thor

Pap

erty

pe

Res

earc

hm

eth

odS

amp

lesi

ze

2000

AustralianAccountingReview

Bes

tT

RA

nal

ysi

s–

2001

TheInternationalJournalof

Digital

AccountingResearch

Gra

bsk

iet

al.

ER

Cas

est

ud

y1

Org

aniz

atio

n

2002

Journalof

Inform

ation

Systems

Wri

gh

tan

dW

rig

ht

ER

Su

rvey

30In

form

atio

nsy

stem

aud

itor

s20

03Advancesin

Accounting

Ven

drz

yk

and

Bag

ran

off

ER

Fie

ldst

ud

y20

Sen

ior

man

ager

san

dp

artn

ers

2003

TheJournalof

Corporate

Accountingand

Finance

Gol

db

erg

and

God

win

TR

Lit

erat

ure

rev

iew

_

2003

Inform

ation

SystemsControlJournal

Cer

ull

oan

dC

eru

llo

ER

Cas

est

ud

y1

Fir

m20

04Inform

ation

SystemsControlJournal

Bae

and

Ash

crof

tT

RA

nal

ysi

s–

2004

Journalof

Inform

ation

Systems

Hu

nto

net

al.

ER

Su

rvey

83F

inan

cial

aud

itor

san

d82

ISau

dit

spec

iali

sts

2004

Journalof

EmergingTechnologiesin

Accounting

Vas

arh

ely

iet

al.

TR

An

aly

sis

Th

eory

_

2004

ManagerialAuditingJournal

Yan

gan

dG

uan

TR

An

aly

sis

_20

04InternationalJournalof

Auditing

Mes

sier

etal.

ER

Su

rvey

6P

ub

lic

acco

un

tin

gfi

rms

2004

BusinessProcess

ManagementJournal

Sp

ath

isan

dC

onst

and

inid

esE

RS

urv

ey26

Fir

ms

2005


Bra

zel

ER

Su

rvey

73A

ud

itse

nio

rs20

05Inform

ation

ManagementandCom

puter

Security

Bro

wn

and

Nas

uti

TR

Lit

erat

ure

rev

iew

anal

ysi

sV

iew

poi

nts

_

2005

Journalof

Inform

ation

Systems

Deb

rece

nyet

al.

TR

&E

RS

urv

ey6

ER

Pp

rov

ider

s20

06Journalof

EmergingTechnologiesin

Accounting

Ku

hn

and

Su

tton

ER

Cas

est

ud

y1

Fir

m

2006

InternationalJournalof

Accounting

Inform

ation

Systems

All

eset

al.

TR

&E

RC

ase

stu

dy

1F

irm

2007

Journalof

Enterprise

Inform

ation

Management

Mau

rizi

oet

al.

TR

Lit

erat

ure

rev

iew

Vie

wp

oin

tsA

nal

ysi

s

_

2007

Contemporary

AccountingResearch

Bra

zel

and

Ag

ogli

aT

R&

ER

Su

rvey

74P

ract

icin

gau

dit

ors

(continued

)

Table I.Research on auditing in

Enterprise Systemenvironment


499

Yea

rJo

urn

alti

tle

Au

thor

Pap

erty

pe

Res

earc

hm

eth

odS

amp

lesi

ze

2007

InternationalJournalof

Accounting

Inform

ation

Systems

Gra

bsk

ian

dL

eech

TR

&E

RS

urv

ey35

Inte

rnal

aud

itor

s&

33C

IOs

2008

Journalof

Inform

ation

Systems

All

eset

al.

TR

&E

RC

ase

stu

dy

2F

irm

s20

08Inform

ation

SystemsManagement

Ch

anget

al.

TR

&E

RC

ase

stu

dy

2F

irm

s20

08TheAccountingReview

Hu

nto

net

al.

ER

Ex

per

imen

t72

Man

ager

s20

08InternationalJournalof

Managementand

Enterprise

Development

Hu

anget

al.

ER

Su

rvey

77IT

,fi

nan

cial

acco

un

tin

g&

aud

itin

gex

ecu

tiv

es20

08Know

ledge-basedSystems

Lee

TR

&E

RC

ase

stu

dy

1F

irm

2009

Journalof

DigitalForensics,Security

and

Law

Bes

tet

al.

TR

&E

RA

nal

ysi

s-C

ase

stu

dy

1F

irm

2009

Journalof

AccountingandOrganizational

Change

Mad

ani

TR

Lit

erat

ure

rev

iew

Th

eory

_

2009


Bu

rnab

yan

dH

ass

TR

Lit

erat

ure

rev

iew

An

aly

sis

Th

eory

_

2009

Journalof

Enterprise

Inform

ation

Management

Ch

enE

RC

ase

stu

dy

1F

irm

2009

DecisionSupportSystems

Hu

anget

al.

TR

&E

RC

ase

stu

dy

1F

irm

2010

Journalof

Inform

ation

Systems

Ku

hn

and

Su

tton

TR

Lit

erat

ure

rev

iew

An

aly

sis

_

Note:

ER¼

Em

pir

ical

Res

earc

hin

org

aniz

atio

ns;

TR¼

Th

eore

tica

lR

esea

rch

(lit

erat

ure

rev

iew

s,v

iew

poi

nts

,an

aly

sis,

theo

ries

)

Table I.

JEIM24,6

500

3. Bibliography analysisIn the present study we focused on the auditing function as a whole and how it is beingtransformed due to ES implementation. In this section we analyze studies referred toeach one of the five categories mentioned in the previous section.

3.1 The future of audit in an ES environmentMany researchers have started discussing the transformation of the audit function dueto the introduction of ES. These systems present new challenges and risks and as aresult the mechanism of the audit-control and the audit-control procedures change.Internal audit seems to be an important factor as far as an ES implementation isconcerned. Although enterprise systems seem to increase the overall control risks,researchers claim that these systems have adequate and efficient control processes andsecurity tools into their applications (Wright and Wright, 2002; Hunton et al., 2004).Researchers claim that complexity of such systems and decentralized decision-makingprocesses can lead to many risks (Grabski et al., 2001). Bae and Ashcroft (2004) pointedout that although ERPs are complex systems due to their capabilities, they couldprovide companies with major data processing benefits.

ERPs are known for their extraordinary nature and numerous implementation risks.Control function must be well organized over the entire life cycle of an ES, includingimplementation. Literature shows that it costs 50 to 100 times more to add functionality orto correct an error in the post-implementation phase than it would have cost to provide theproper functionality during the implementation process (Goldberg and Godwin, 2003).

The first major topic that occurs in an ES or an ERP environment is thetransparency of the data and the information integrity. For example, personnel from

Journal title n %

Journal of Information Systems 5 16.2Managerial Auditing Journal 3 9.8Information Systems Control Journal 2 6.5International Journal of Accounting Information Systems 2 6.5Journal of Emerging Technologies in Accounting 2 6.5Journal of Enterprise Information Management 2 6.5Advances in Accounting 1 3.2Australian Accounting Review 1 3.2Business Process Management Journal 1 3.2Contemporary Accounting Research 1 3.2Decision Support Systems 1 3.2Information Management and Computer Security 1 3.2Information Systems Management 1 3.2International Journal of Auditing 1 3.2International Journal of Management and Enterprise Development 1 3.2Journal of Accounting and Organizational Change 1 3.2Journal of Digital Forensics, Security and Law 1 3.2Knowledge-based Systems 1 3.2The Accounting Review 1 3.2The International Journal of Digital Accounting Research 1 3.2The Journal of Corporate Accounting and Finance 1 3.2Total 31 100

Table II.Distribution of articles by

journal title


501

the IT department (or from other departments) can modify the figures since they haveaccess to the database (Bae and Ashcroft, 2004). This could lead a company toeconomic loss, which might not be identified immediately (Chang et al., 2008). Thereare recent studies that show that continuous auditing techniques and continuousmonitoring can help organizations and auditors detect fraudulent activities (Kuhn andSutton, 2006; Alles et al., 2006; Alles et al., 2008). Kuhn and Sutton (2006) tried toexamine the methods of fraud utilized by the management of a big telecommunicationscompany in the USA, in order to design a continuous assurance strategy which couldhave detected such fraudulent behavior earlier.

In order to secure audit results and the validity of the data, formal policies anddesigns for the auditing process are necessary, especially in computerizedenvironments. In 2006, Alles et al. presented a study in which they describe thelessons they have learned from an implementation of the monitoring and control layerfor continuous monitoring of business process controls (CMBPC) in the US internalaudit department of Siemens Corporation. Their main conclusion was thatstandardization of audit procedures and audit judgment is greatly underestimated.They pointed out that reengineering of audit processes is inevitable due to thenecessity to separate standard and non-standard parts of the program. They statedthat in order for modern audit techniques and processes to be effective in an ESenvironment, it is necessary that a high integration level of the system is reached.

The last decade there were a lot of accounting scandals, and therefore internalcontrol and auditing became the focus of attention. Huang et al. (2008) built an internalcontrol framework with five dimensions and 19 detailed factors and they used it in asurvey of Taiwanese public companies which had an ERP system. They found that thefive most important internal control factors were:

(1) establishment of IT organizations and their relations;

(2) integration of financial information;

(3) development of IT strategic plans;

(4) management of information quality; and

(5) monitoring of operating procedures.

From the literature it seems that there is a relation between organizationaldevelopment and ES implementation. An in-depth case study in a Taiwanese IC designhouse was conducted by Chen (2009). The study showed that to leverage the value ofthe enterprise resource planning system, the implementation should take intoconsideration the firm’s growth, the unique industrial characteristics, the influencesfrom the business group, and the alignment of the internal control and audit function,corporate governance and information technology governance.

There are also studies that compare computerized and non-computerized businessprocess environments, in terms of risks and errors that may occur due tocomputerization. It is mentioned generally that in computerized environments there aremore risks and this is also the reason why formal policies are necessary in suchenvironments (Alles et al., 2006). Messier et al. (2004) conducted a survey in the sixlargest public accounting firms in Norway. The purpose of their survey was toexamine if information technology (IT) affects the audit procedures used by auditors indetecting misstatements and if the causes of misstatements detected through audit

JEIM24,6

502

tests are different for computerized or non-computerized business processes. Theresults showed that (considering the effect of IT) tests of detail and attention directingprocedures were just as likely to identify the misstatements in both computerized andnon-computerized business processes. The authors mention that the primary reasonauditors did not rely on IT controls was their belief that substantive testing was moreefficient or effective. They found that there is an increase in the cause of misstatementsresulting from missing and poorly designed controls and audit tests. They also foundthat appropriate controls were judged to be missing more often in computerizedbusiness processes rather than in non-computerized business processes. Comparingtheir results with previous research they concluded that control problems increasedgenerally in the last decade, but these problems are more prevalent in computerizedbusiness processes. They mentioned that due to an increase in IT, there has been somedegradation in the control environment and increase in the workload of accountingstaff. They concluded stating that one consequence appears to be a shift in the auditprocedures to detect misstatements with the use of more tests of detail. Spathis andConstantinides (2004) also conducted a research in Greek companies that haveimplemented an ERP system trying to examine the impact that the system had on theenterprise procedures. They found that the implementation of an ERP system isusually followed by an increase in internal audit procedures. As a result the enterprisecan reach a higher level of integration in business processes and improved quality ofreports.

Yang and Guan (2004) stated that the introduction of data processing equipmenthas many impacts on the traditional manual accounting systems and that IT systemsrequire that the recording and processing procedures be concentrated in departmentsthat are separate from the origin of the data. They also mentioned that computerizationhas reduced significantly the time available for the review of transactions before theirentry into the accounting records. As a result, in poorly controlled systems theopportunity for uncovering errors before they have impact on operation has beenreduced, which highlights the increased importance of improved internal controlprocedures. Finally, they pointed out that computerization and automation couldpotentially eliminate the audit trails by which individual records can be traced to finalreports or to the original transaction.

Another important study concerning control procedures and the factors whichaffect them, was the one that was conducted by Grabski and Leech (2007). Theypointed out that ERP implementation projects are but another example of aninformation system development project that needs to be controlled, and that theimplementation of an ERP system is significantly different than a traditional systemimplementation. They focused on the fact that – as previous research showed – singlemodes of control are not sufficient, and that a portfolio of control modes is needed andshould be utilized. This was explained through the theory of complimentarity. ChiefInformation Officers (CIOs) and Internal Auditors were selected to be the participantsin this study. A questionnaire was created and distributed to them. The questionnairewas specifically expanded and significantly modified to include the controls identifiedas important in the literature and it also included questions specific to internal auditactivities during the implementation phase. One of the main findings of this study wasthat groups of complementary controls need to be employed in the implementation ofERP systems in order to achieve successful implementation.


503

In addition, for companies that have implemented an ES it is very important todesign formal policies-procedures, appropriate for auditing sufficiently and effectivelysuch company environments. At this point, we should mention that the successive useof a system and the output quality of the system depends on the efficiency of theinternal audit system and the internal audit processes (Lee, 2008). Wright and Wright(2002) conducted a semi-structured interview study with 30 experienced informationsystems auditors who specialized in assessing risks for ERP systems. The participantsindicated that in order to provide assurance on ERP systems, a focus on testing theprocesses rather than system output is of great importance.

Control procedures are very important in order for data distribution and process tobe reliable and for audit procedures to be successful. The latter is due to the fact that incomputerized environments, many errors may go unidentified, unless efficient internalcontrols are present. Formal and accurate audit policies are necessary after an ESimplementation. Continuous auditing and monitoring of automated businesstransactions by the internal audit function is growing, as businesses try to improveinternal control (Spathis and Constantinides, 2004; Hunton et al., 2008). Main objectivesconcerning the future of auditing in an ES environment are presented in Table III.

3.2 Modern audit tools and techniquesResearchers have discussed the different techniques that auditors can use in order totest the efficiency and the effectiveness of internal control procedures. Best (2000)mentioned that one of ERP’s advantages (specifically SAP’s) are the strong featuresthat may be set up to control access to transactions and data. Auditors usecomputer-assisted audit techniques and tools (CAATTs) to help them in auditing anenterprise system. It is of great importance that the internal auditors assure that theenterprise system, which a company implements, is well controlled and secure. Moderntools are needed, so that all control tests will be performed effectively. The currentdefinition of internal auditing adopted by the Institute of Internal Auditors Board ofDirectors in June 1999 expanded the scope of internal auditing to include consultingactivities and value-added services for evaluation and improvement of theeffectiveness of risk management and governance processes and internal controlprocedures. This requires internal auditors to continuously develop new skills andlearn how to use new audit tools and modern technologies (Burnaby and Hass, 2009).

Main objectives Authors

Transparency of data and information integrityseem to be threatened

Bae and Ashcroft (2004); Chang et al. (2008)

There is an increase of misstatements when thereare no efficient control procedures

Messier et al. (2004)

There is a great need of increased and improvedcontrol processes (reengineering of auditfunction)

Yang and Guan (2004); Spathis andConstantinides (2004); Grabski and Leech (2007)

Continuous monitoring of automated businesstransactions seems to be the future of auditing

Alles et al. (2006); Kuhn and Sutton (2006); Alleset al. (2008)

Table III.The future of auditing inan ES environment

JEIM24,6

504

It seems that auditors tend to apply continuous auditing techniques when accountinginformation is reported and stored in an electronic form. Continuous auditing tools tendto support both internal and external auditing processes. Enterprise systems offerfunctionalities for continuous monitoring of controls and detection of fraudulentactivities (Best et al., 2009). There are different methodologies for approaching auditingin ES environments, such as the Embedded Audit Module (EAM) which is softwarebuilt into an information system, or the Monitoring Control Layer (MCL), which isseparate software that operates independently and is linked into the informationsystem (Kuhn and Sutton, 2006). The EAM approach – its benefits, disadvantages,technologies and processes – have been analyzed by the researchers for many years(Debreceny et al., 2005; Alles et al., 2006; Huang et al., 2009).

The CAATTs can be classified into tools for substantive tests and tools for controltests. Huang et al. (2009) aimed to develop the Business Process Gap DetectingMechanism (BPGAP-Detecting Mechanism), in order to detect the business processgap IS processes and internal control flows. In their conclusions they state that “thereare various computer-assisted audit technologies and tools that can assist the auditorin acquiring knowledge of IS. However, most of them can only perform substantivetests. To construct a general system to perform the entire control test for IS is ratherdifficult since various IS have different data structures and IS process flows”.

The embedded audit module (EAM) can be characterized as a substantive test tooland the BPGAP-Detecting Mechanism as a control test tool. Huang et al. (2009) mentionthat the disadvantage of the EAM is that it must be tightly coupled with the ES, inorder to be effective and therefore it is difficult to construct a general EAM that can becustomized to diverse ES. On the other hand the BPGAP-Detecting Mechanism is moreflexible because it is separate from enterprise systems. This mechanism relies only onread-only access and the extraction of controls data from enterprise systems. So theyconclude that this mechanism ensures that controls data extracted byBPGAP-Detecting Mechanism cannot be manipulated by the firm personnel, beforeor after extraction. Finally, they support that this mechanism improves both auditquality and software quality.

EAMs seem to be useful for ES as an added tool, which helps a company improve itsaudit process. The potential of exploiting the perceived benefits of EAMs in an ERPenvironment was examined by Debreceny et al. (2005). Their research was designed toassess the level and nature of support for EAMs by ERP providers. A set of ten modelEAM scenarios were developed within a fraud prevention and detection environment.The scenarios were exposed to six ERP solution providers. The research revealed thatsupport for EAMs within the selected ERP systems was highly limited and partial. Italso showed that technical expertise was necessary to create EAMs of each ES systemthat was investigated.

The implementation of ES leads to automated and integrated re-engineeredprocesses and as a result redundancies and inefficiencies are eliminated. Continuousassurance systems are built upon an organization’s underlying IT systems, providinginformation access throughout an organization. This integration results in significantchanges concerning the auditing function (objectives, process, timing, tools andoutcomes) (Vasarhelyi et al., 2004). Alternative continuous auditing systemarchitecture to the EAM architecture is the MCL (Monitoring and Control Layer)which is appropriate to cater to different circumstances (Kuhn and Sutton, 2010). The


505

MCL approach has also been analyzed by researchers (Vasarhelyi et al., 2004; Alleset al., 2006; Kuhn and Sutton, 2006). The basic elements of the MCL architecture are:data capture layer, data filtering layer, relational storage, measurement standardslayer, inference engine, analytic layer, alarms and alerting layer and the reportingplatform (Vasarhelyi et al., 2004).

Researchers have also discussed audit trails in the literature. Changes inconfiguration, security and master records, and financial transactions are edited withdate/timestamps, user identification and workstation identification which are collectedin various audit trails. In general audit trails can be defined as “records of useractivity” (Best et al., 2009). Audit trails are part of enterprise systems and often theyhave their own reporting facilities. As far as continuous auditing is concerned, they canbe used for monitoring user activity and thus, they can de either part of EAM or MCLapproaches. Best et al. (2009) highlighted the potential vulnerability to vendor fraudthat may occur from inefficient segregation of duties and the need of for automatedcontinuous fraud detection solutions. In their study they demonstrated how an ERPsystem (mySAP) could be used for audit trail analysis in detecting financial frauds.

In ES environments substantive tests and control tests should complement eachother with the support of the appropriate CAATTs. Continuous auditing and its toolsseem to be the future of auditing in such complex environments. Main objectivesrelated to CAATTs are displayed in Table IV.

3.3 Auditor’s role and expertise in an ES environmentES are new and complicated audit environments and therefore internal auditors need toimprove their technological knowledge and skills in order to perform effective andefficient audits (POB, 2000). Specifically the POB (2000, p. 171) states:

Increasingly, auditors will find it necessary to understand fully the risks associated with newand advanced business information systems, and the controls that are needed to respond tothose risks. Auditors also will find that they must expand their technological knowledge andskills, devise more affective audit approaches by taking advantage of technology, and designdifferent types of audit tests to respond to new business processes. Highly skilled technologyspecialists will become even more essential members of audit engagement teams.

In this section we analyze the skills and the experience that an auditor must have, to beable to conduct successful audits in an ERP or an ES environment. Bae and Ashcroft


New audit tools and modern techniques arenecessary

Vasarhelyi et al. (2004); Burnaby and Hass(2009)

Continuous auditing techniques increase Best et al. (2009); Kuhn and Sutton (2010)

EAM and MCL are basic methodologies forapproaching auditing in ES environments

Kuhn and Sutton (2006)

Auditors must be able and know how to use thesetools, techniques and methodologies

Burnaby and Hass (2009)

In ES environments substantive tests and controltests should complement each other

Huang et al. (2009)Table IV.Modern audit tools andtechniques (CAATTs)

JEIM24,6

506

(2004) published a study focusing on accounting and auditing implications related toERP systems implementation. More specifically, they discussed informationtechnology implications based on the SAP system. They mentioned that ifaccountants and auditors learn to work with ERP software, then they would be ableto assist companies in improving the management of their operations. For example,when older practices of internal control are no longer appropriate, the auditor canassist a company in designing new advanced controls and tests to achieve efficientaudits in an ERP system environment.

Many researchers support that the experience that an auditor has in auditing ES, ismore important and essential than the experience in auditing in general, when the auditprocess takes place in an organization which has implemented such a system. This wassupported by Brazel (2005) whose purpose was to develop, assess and provide uses fora measure of perceived ERP systems expertise. He was motivated from the “Theory ofPlanned Behavior” (Ajzen, 1991), which suggests that auditors who perceive that theyhave higher levels of ERP systems expertise should perceive that they have morebehavioral control in ERP settings. Behavioral control refers to the perception of theease or difficulty of performing the behavior of interest, for example auditing in anERP environment. He supported that perceived auditor ERP systems expertise may bean important determinant of auditor behavior and audit quality in ERP environments.He developed a multiple-item scale which included measures of auditors’ perceptions oftheir experience levels with auditing ERPs, their time spent auditing ERPs and howearly in their careers they began auditing such systems. The multiple-item scaledeveloped in this study was assessed for reliability and construct validity with 73practicing audit seniors from four international and two national public accountingfirms. Participants had an average of 3.68 years of audit experience (AUDEXP). Brazel(2005) supports that the measure can be used to capture perceived auditor ERPsystems expertise as part of an experimental study interested in determining its effectsupon auditor performance, audit quality, audit perceptions etc. Furthermore, hementions that it may be preferable to assign a less experienced auditor with ERPsystems background to an ERP systems audit environment than a more experiencedsenior auditor who may lack this area of expertise. The measure has the propensity todichotomize auditors into distinct groups perceiving either low or high ERP systemsexpertise for experimental research and also to provide significant variation inparticipant responses for use in survey studies. Interestingly, the results of Brazel’sstudy suggest that auditor perceptions of ERP systems expertise are not significantlyrelated to general AUDEXP. Therefore, he suggested that it might not be prudent toassume that auditor perceptions of ERP systems expertise automatically increasetogether with the longevity of their audit careers. The results of Brazel (2005) aresimilar with those of another study which showed that for auditors in an ERPenvironment, it is more important that they know how to use the information providedby the system than have increased audit experience (Chang et al., 2008).

Moreover, Brazel and Agoglia (2007) pointed out that in complex AccountingInformation System (AIS) environments, both auditors’ AIS expertise and theirevaluations of CAS (computer-assistance specialist) evidence play a significant role indetermining audit quality. They stated that although complex AIS (such as ERPs) andCAS have become basic factors for audit engagements, little prior research hasexamined how they affect auditor judgments. There are few studies which contributed


507

to the literature by examining the moderating effect of auditor AIS expertise on controlrisk assessment and the nature, staffing, timing, extent and effectiveness of plannedsubstantive testing. AIS expertise plays an important role in complex AISenvironments and appears to be more important when CAS competence deficienciesare present (Brazel and Agoglia, 2007).

Enterprise systems present new challenges to the internal audit function.Researchers claim that there are new relationships that an ES requires to existbetween the internal auditors and five associated groups:

(1) software vendors;

(2) information systems;

(3) IT managers;

(4) ES users; and

(5) consultants.

ES gives internal auditors an enabling technology to advise management on theimplications of ES for risk-intelligence and this leads to a hybrid position of an internalauditor within an organization (Madani, 2009).

At this point, we should mention that AIS expertise plays an important role incomplex AIS environments, in order to achieve successful auditing. As Brazel (2005)states “it may be preferable to assign a less experienced auditor with an ERP systemsbackground in an ERP systems audit environment than a more senior auditor whomay lack this domain of experience”.

We can conclude that the information provided by an ES during auditing plays animportant role. Auditors must know how to comprehend with information systems andmust be able to detect errors and fraud in such environments. Overall, the literatureindicates that financial auditors need a higher level of technology skills to be able todeal with enterprise systems and to supervise computer auditors to ensure theaccuracy of their work. In Table V we present main objectives concerning auditor’s roleand expertise in an ES environment.

3.4 Financial auditors and IT auditors – differences in risk assessment, roles andperceptionsIn enterprise system environments financial auditors need the assistance of ITauditors. IT auditors audit the enterprise system environment and submit a report tothe financial auditors presenting their findings about the system. This report stateswhether the system is reliable (if there are weaknesses in the internal controls andexplain their impact on the financial statements) and whether the financial auditors can


Auditors must enhance their knowledge and skills in order toperform efficient audits in ES or ERP environments

Bae and Ashcroft (2004)

Auditors take on consulting activities Madani (2009)

Experience in auditing IS in general or ES in particular seems tobe critical

Brazel (2005); Chang et al. (2008)

Table V.Auditor’s role andexpertise in ESenvironment

JEIM24,6

508

depend on the output of the system. IT auditors can improve the effectiveness and theefficiency of the financial statement audits. Financial and IT auditors should cooperateand work together as one team (Vendrzyk and Bagranoff, 2003). In the literature therehas begun a discussion about the differences in perceptions between financial auditorsand IT auditors, concerning the auditing process in an ES environment.

Vendrzyk and Bagranoff (2003) described and contrasted IS and financial auditor’sperceptions of the current and future role of IS auditing within the five largestaccounting/professional services organizations in the USA. The primary objective ofthis study was to examine whether there are differences between IS and financialauditors’ perceptions of the growing role of IS auditing. They investigated theperceptions among auditors about the evolution of the IS audit function, by focusing onthe two major roles of the IS audit practice:

(1) its relationship to the financial audit; and

(2) the expected growth in the IS audit practice itself.

They concentrated on the largest accounting/professional services firms to betterexamine state-of-the-art auditing/assurance practices. In general they found that IS andfinancial auditors have different perceptions about the current and future relationshipbetween IS and financial audit and differ in their opinions concerning clients’expectations for future audit services. More specifically, the results showed thatfinancial auditors are more likely to indicate that the financial audit will continue todominate the IS audit. IS auditors see a growing IS dominance over the financial audit.The researchers claimed that although financial auditors perceive the audit of generalcontrols to be more important than IS auditors do, both groups believe that IS audit’sfocus on control evaluation includes a mix of general application controls with agrowing focus on risk assessment. In evaluating the expected growth of the IS auditpractice itself, financial auditors are more likely to interpret audit services and the needfor services provided in terms of the financial audit, while IS auditors are more likely totake a broader view.

Finally, the researchers stated that as firms struggle with the significant changesoccurring in their environment due to IS, understanding differences in the perspectiveof these two groups is critically important to accounting researchers, practitioners andeducators. They supported that more research is needed to understand thesedifferences and determine which is the best way to overcome them, so that financialand IS auditors would work together in order to improve audit practice.

The purpose of another study (Hunton et al., 2004) was to examine the extent towhich financial auditors recognize differences in the nature and extent of uniquebusiness and audit risks associated with ERP systems, as compared to traditionalcomputerized (non-ERP) systems. They also investigated financial auditors’ level ofconfidence in assessing such risks and their propensity to seek consultation with ISaudit specialists in their firm. A total of 83 financial auditors and 82 IS audit specialistsparticipated in an experiment in which “system type” was manipulated as either ERPor non-ERP. All participants were CPAs. The results showed that financial auditorswere significantly less concerned than IS audit specialists with the followingheightened risks of the ERP environment in the experimental case: businessinterruption, network security, database security, application security, processinterdependency and overall control risk. Additionally, financial auditors did not


509

recognize the heightened risks of a seeded control weakness. Financial auditors werealso highly confident in their ability to evaluate risks in both ERP and non-ERPenvironment; however IS audit specialists were less confident in financial auditors’abilities to recognize and assess risks related to ERP systems.

Nevertheless, another study showed that auditors seem to be more sensitive to thecompetence of CAS and assess control risk higher when provided with positive controltesting from a CAS with low (versus high) competence. Also, in the AIS setting withincreased risk, auditors with higher AIS expertise tend to assess control risk as higherthan those with lower AIS expertise (Brazel and Agoglia, 2007).

Expectations of both groups (IS auditors and financial auditors) concerning theimpact of IS audit findings on the scope of financial audit are difficult to assess.Research shows that computer audit specialists can recognize and assess much betteraudit risks in an ERP environment than financial auditors can. In addition, financialauditors are confident that they can assess risks in both ERP and non-ERPenvironment. However IS audit specialists are less confident in financial auditors’abilities to recognize risks related to ERP systems. Finally, in the literature it ismentioned that auditors are not capable of recognizing heightened inherent and controlrisks and that auditors with higher perceived ERP systems expertise are better able toplan substantive procedures to deal with ERP system related risks.

Overall, we can conclude that auditors, who possess higher AIS expertise, tend toassess control risk higher, compared to auditors with less AIS experience. This showsthat financial auditors lack in recognizing the control risk importance in complex AISenvironments and that they may be overconfident about their assessment results ortheir capabilities. Table VI displays main objectives concerning the category analyzedin this section.

3.5 ERP and compliance with regulationsIn this section we analyze ERPs and their compliance with the Sarbanes-Oxley (Sarboxor SOX). The Sarbanes-Oxley Act (SOA) includes 11 sections, ranging from additionalcorporate board responsibilities to criminal penalties and required the Securities andExchange Commission (SEC) to implement rulings on requirements to comply with thenew law. The Act started as a reaction to a number of significant corporate andaccounting scandals associated with big organizations (WorldCom Company was oneof them).

Statement on Auditing Standards (SAS) No. 94 and American Institute of CertifiedPublic Accountants (AICPA, 2001) calls for auditors to understand the computerizedprocedures used to prepare an entity’s financial statements and related disclosures.


Financial auditors need the assistance of IT auditors andthey are asked to cooperate with them effectively and workwith them together as one team

Vendrzyk and Bagranoff (2003);Hunton et al. (2004)

Financial auditors and IT auditors tend to assess risksassociated with ES in a different way

Vendrzyk and Bagranoff (2003);Hunton et al. (2004); Brazel andAgoglia (2007)

Table VI.Financial auditors and ITauditors

JEIM24,6

510

More specifically, SAS No.94 requires auditors to consider how the client’s informationtechnology (IT) infrastructure affects the audit strategy, to design audit tests, todetermine the extent to which computerized internal controls are operating effectively,and to possess requisite skills to evaluate and test IT systems or obtain help fromspecialists who have such skills. Cerullo and Cerullo (2003) classifiedcomputer-assisted audit techniques in three main categories:

(1) auditing around the computer;

(2) auditing with the computer; and

(3) auditing through the computer.

They stated that SAS No. 94 provides explicit guidance when a significant amount offinancial information supporting one or more financial statement assertions isautomated by complex electronic IT. They continued mentioning that under thesecircumstances, the auditor must assess control risk by performing audit tests and testsof controls, regardless of firm size. Auditing through the computer techniques, such asdata, parallel simulation or embedded audit module, should be used to test controlswhen a firm has complex IT systems. The test data technique is appropriate forauditors with little IT experience (Cerullo and Cerullo, 2003). With the introduction andimplementation of the Sarbanes-Oxley Act (SOA), enterprise systems are seen as anopportunity for corporations in order to achieve SOA compliance (Maurizio et al., 2007).

The evolution of technology and the use of computers in business practice result inmore information technology (IT) auditing and internal control standards and guidelinesto assist auditors in their roles and responsibilities (Spathis and Constantinides, 2004).There are publications that focus on the discussion of the IT audit standards issued bythe AICPA (American Institute of Certified Public Accountants) and ISACA (TheInternational Federation of Accountants and the Information Systems Audit and ControlAssociation) and their significance for the auditing profession. Auditors shouldunderstand clearly these pronouncements, standards and guidelines when performingan IT audit and it is certain that in the future we will see more announcements in thisarea. Specifically, Yang and Guan (2004) focus on the discussion of the IT auditstandards issued by the AICPA and the ISACA. They state:

As the use of computers in business data processing gets more widespread and theintegration of IT in business processes gets more intricate, we expect to see morepronouncements of IT audit standards in the future. Auditors should well understand thesepronouncements, standards and guidelines when performing an IT audit.

Additionally, Brown and Nasuti (2005) conducted a study-report in order to providebackground information for senior and middle management in IT organizations whomay be in the implementation phase of compliance for Sarbanes-Oxley (SOX), andmoreover to accountants, internal auditors and academics who wish to evaluate theimpact of SOX on the IT organization. They concluded that competencies in severalrelated core disciplines, including project management, change management andsoftware integration should be the first priority for SOX implementation. Moreover, theysupported that enterprise architecting and related areas such as security and outsourcingcan be managed more adequately and effectively with the appropriate competencies.

Maurizio et al. (2007) published a study which reviewed factors and methods used tointegrate multiple ERP systems to comply with the Sarbanes-Oxley Act (SOA) in an


511

Enterprise Application Integration Environment (EAI) focusing on the SAP businesswarehouse application. They examined earlier research, surveys, actual processes anddocumentation defined in the SAP system, as well as information gathered bydevelopers, auditors and compliance experts.

Today, with the introduction and implementation of the SOA, enterprise systemsare seen as an opportunity for corporations to be able to achieve SOA compliance.Based on their research, Maurizio et al. (2007) suggested that to comply with the SOA itis advisable to look at the area of EAI for assistance. They explained that compliancewith SOA is not an easy task and needs the use of an EAI concept to become possible.The reason why is that the challenge of configuring a landscape to comply with theSOA without EAI means that most of the links would be interfaces which is theopposite of integration. They stated that the Business Warehouse systems (BW) havebeen available for over five years and the progress to offer additional functionality toaddress SOA requirements is an ongoing activity. In their opinion, landscapes need tobe simplified from multiple systems environments to as few servers as possible. Theyalso found that the authorization functionality in the Online Application Process(OLAP) environment is not as enhanced as it is in an Online Transactional Processor(OLTP) system, and this is due to the differences in the two systems’ approaches todata. Data in an OLTP system is used for daily postings and processing, while data inan OLAP system is used mainly for reporting and viewing. The introduction of SOAchanged that area and they supported that additional authorization processes need tobe applied to reflect that change. The ability to post from BW to R/3 has made the useof authorizations in BW a must. They mentioned that there are many applicationsbased items that have been affected by SOA, such as risk management, balancedscorecard, business planning, management of internal controls, BW basedconsolidations, core SAP, etc. and that these applications are much more mature andconsistent with the needs of the organizations and auditing requirements.

Chang et al. (2008) published a study that aimed to achieve three purposes: The firstwas to explore the crucial control items of the purchasing and expenditure cycle inmeeting the conditions of SOA 404. The second was to develop a computer auditingsystem based on the recognized control items and requirements of SOA 404 and the thirdwas to validate the applicability of the system using an ISO/IEC 9126 model in meetingorganizational needs. The development of the computer auditing system in this studyshowed eight proposed activity constructs and 34 control items in the purchasing andexpenditure cycle, which are necessary for system development. The researchersestablished then this system on two chosen public firms to validate the applicability ofthe system. The interview results agreed on the usefulness of the system to facilitatetheir company’s internal control procedures. It was found that the system could providemanagement and external auditors with the ability to identify incorrect financialstatements and fraud. The computer auditing system complied with SOA 404.Furthermore, it improved the correctness of the auditing activities, and thus increasedthe reliability of the company’s investment and management environment.

Continuous auditing tools are becoming basic factors of overall corporategovernance and compliance with regulations. Continuous auditing applications arebeing used to support GRC (Governance, Risk Management and Compliance) activitiesacross business processes, departments and information technology platforms (Kuhnand Sutton, 2010). Overall, auditing function supports ERP systems and thus it helps

JEIM24,6

512

businesses to comply with regulations. The main objectives concerning ERPs andcompliance with regulations are provided in Table VII.

4. DiscussionSince the use of computers in data processing and the implementation of enterprisesystems have become so widespread, the auditing process is being transformed andauditors are asked to conduct efficient audits in ES environments. It is well known thatinformation systems have a great impact on information management and businessprocess redesign (BPR). When implementing information systems, enterprisesre-engineer their business processes in order to obtain a competitive advantage. Andas long as ES have impact in almost all business processes, they have impact on theauditing process as well. From our literature review it is obvious that ES significantlychange the auditing procedure and the internal control of an organization.Standardization of auditing policies-procedures seems to be of great significance(Alles et al., 2006). However, most of the companies don’t have formal policies forauditing ES environments and this might cause problems within an organization.Researchers claim that companies that implement an ES must also design andimplement formal and accurate control procedures which will be of assistance inauditing such a system.

There are studies that focused on the risks and challenges that occur for the auditfunction due to information systems implementation. In ES environments several risksoccur and a major one is the risk related with fraud (Best et al., 2009). Controlprocedures are very important in order for data distribution and process to be reliableand for audit procedures to be successful. The latter is due to the fact that incomputerized environments, many errors may become unidentified, unless efficientinternal controls are present.

Once these risks and challenges occur, auditors are asked to deal with themeffectively. It seems that auditors must use modern audit tools and techniques in orderto ensure the transparency of data and timely detection of fraud. Continuous auditingand its tools (EAM and MCL) help businesses prevent and detect fraud more effectivelyand in an early stage (Kuhn and Sutton, 2006; Alles et al., 2006; Alles et al., 2008). Thus,continuous monitoring of business transactions seems to be the future of auditing.Furthermore, researchers argue that in order to provide assurance on ERP systems, a


Technology results in more IT auditing and control standards andguidelines

Spathis andConstantinides (2004)

Auditors should understand well these guidelines when performing ITaudits

Yang and Guan (2004)

SOA has affected several applications, such as risk management andmanagement of internal control

Maurizio (2007)

CAATs are becoming basic factors of corporate governance andcompliance with regulations

Kuhn and Sutton (2010)

ES are seen as an opportunity for corporations to achieve SOA compliance Maurizio et al. (2007)

Table VII.ERP and compliance with

regulations


513

focus on testing the processes rather than system output is of great importance (Wrightand Wright, 2002). Also, it seems that audit tools which support substantive tests andcontrol tests should complement each other, in order for auditors to perform effectiveaudits in computerized environments. Substantive tests can detect errors of the dataand control tests help us know what causes these errors (Huang et al., 2009).

As mentioned already before, ES implementation changes not only the auditprocess, but also the auditors’ role. Auditors are asked to enhance their knowledge asfar as the information systems are concerned, in order to be able to complete successfulIS environment controls and audit tests. Previous studies support that it is moreimportant for auditing in an ES environment, that the auditors know how to use theinformation provided by the system, and less important the general audit experiencethat they have (POB, 2000; Brazel, 2005; Chang et al., 2008). The information providedby an ERP system during auditing plays an important role and this is the reason whythe presence of an ERP-experienced auditor is significant.

In the bibliography analysis section, we also reviewed studies which were dealingexplicitly with the relation and differences between IS auditors and financial auditors.It seems that expectations of both IS auditors and financial auditors concerning theimpact of IS audit findings on the scope of financial audit are difficult to evaluate.Computer audit specialists can recognize and assess much better audit risks in an ESenvironment than financial auditors can. In addition, financial auditors are confident inthat they can assess risks in both ES and non-ES environment successfully. However,IS audit specialists are less confident in financial auditors’ abilities to evaluate or evenrecognize risks related to ES. Finally, in the literature it is mentioned that auditors arenot capable of recognizing heightened inherent and control risks and that auditors withhigher perceived ES expertise are better able to plan substantive procedures to auditsuch systems environments (Vendrzyk and Bagranoff, 2003; Hunton et al., 2004; Brazel,2005; Brazel and Agoglia, 2007). We also point out that IS auditors and financialauditors should cooperate and work together as one team. Further research is needed toexamine the differences in perceptions and the conflicts between financial auditors andIS auditors (Vendrzyk and Bagranoff, 2003; Hunton et al., 2004). Researchers also claimthat auditors that possess higher AIS expertise, tend to evaluate control risk higher,compared to auditors with less AIS experience. This shows that financial auditors lackin recognizing the control risk importance in complex AIS environments and that theymay be overconfident about their assessment results or their additional capabilities(Hunton et al., 2004; Brazel and Agoglia, 2007).

Finally, researchers point out that the use of technology, computers and complexsoftware packages in business practice results in more information technologyauditing and internal control standards and guidelines to assist auditors in their rolesand responsibilities (Yang and Guan, 2004). Overall, these standards and guidelinesseem to improve the control function (internal – external) and we will see moreadditional announcements concerning ES and compliance with regulations in thefuture (Maurizio et al., 2007; Chang et al., 2008).

5. ConclusionsEnterprise systems and ERP systems seem to have significant effect on the auditingfunction, internal control procedures and auditors’ role. In this section we summarize

JEIM24,6

514

the main conclusions of this study related to ES and audit function and we point outadditional implications.

Next, we present the main conclusions of the study:. In ES environments there is strong demand for increased control procedures,

because in computerized contexts many errors may go unidentified when thereare no sufficient audit processes. Standardization and formalizability of auditingpolicies and procedures are necessary (Alles et al., 2006).

. In ES environments several risks occur and the most important are related to thetransparency of data, information integrity, transaction errors and fraud (Baeand Ashcroft, 2004; Best et al., 2009; Kuhn and Sutton, 2010).

. Continuous auditing and monitoring of business transactions seem to be thefuture of auditing function. Continuous auditing and its tools (EAM and MCL)help business detect and prevent errors and fraud more effectively and in anearly stage (Kuhn and Sutton, 2006; Alles et al., 2006; Alles et al., 2008).

. Auditors’ role changes along with the audit process and auditors are asked toenhance their skills and knowledge in order to be able to: complete successful ISenvironment controls and audit tests; and be of assistance for an organization toachieve compliance with standards and guidelines.

. Financial auditors need the assistance of IT auditors and they are asked tocooperate with them effectively and work with them together as one team(Vendrzyk and Bagranoff, 2003; Hunton et al., 2004).

. The use of technology and computers in business practice results in moreinformation technology auditing and internal control standards and guidelines toassist auditors in their roles and responsibilities (Yang and Guan, 2004). Thesestandards and guidelines improve the control function (internal and external)(Maurizio et al., 2007; Chang et al., 2008).

We should mention at this point, that several implications arise for the audit functiondue to enterprise systems implementation. Auditors need to enhance their skills andknowledge in order to be able to handle electronic audit evidence effectively.Furthermore, there is need of more internal controls for the enterprise system and thesecurity of the electronic data, as potential risks related to fraud increase in ESenvironments. Finally, the presence of IS auditors becomes necessary and financialauditors are asked to cooperate with them efficiently and thus enterprises must findways to overcome conflicts between these two groups.

6. LimitationsAlthough considerable attention was given to the method and design of the literaturereview some limitations exist. First, some relevant publications might have beenoverlooked. Much literature has been scanned by reading the title only. Although thetitle in most cases describes the content quite well this is not always so. In order to beable to conduct a comprehensive literature review the topical focus was kept relativelynarrow on auditing and ES - ERP systems. This might be a regarded limitation sincethis literature review will not satisfy the need of readers looking for a review onaccounting in general and Integrated Information Systems (IIS) as a whole- not onlyERPs. Furthermore, in the bibliography analysis we included and analyzed five


515

categories. Indeed, further categories emerged (such as continuous auditing and on lineauditing) but we decided not to analyze them. The reasons we decided not to includefurther categories are as follows: first, we feared that the study would become too longand second we chose to review five categories extensively, rather than adding furthercategories and analyzing them inadequately.

7. Directions for future researchIn the previous section research on enterprise systems and auditing has been reviewed.Many suggestions for future research can be identified on the basis of the literaturereview. This section will draw attention to a limited number of research opportunitiesthat seem to be the most promising areas of future research. Further research is neededconcerning the relation and interaction between auditing and ES and the impact of ESon the auditing procedures and on the auditors’ role.

From the literature review it is obvious that IS auditors and financial auditors differin perspectives and this leads to potential organizational conflicts. More research isneeded in order to understand these differences and determine how best to resolvethem, so that financial and IS auditors work together as one team to improve auditpractice.

Nevertheless, the audit expertise literature has shown that experience and trainingcombine to create expertise in auditors. Still, more dimensions of ES expertise, such asERP implementation knowledge, may be relevant to determining perceived auditor ESexpertise. Future research investigating auditor interactions with ES may reveal suchadditional sources of expertise.

As far as audit tests are concerned, it is obvious that substantive tests and controltests are needed both in order for the audit function to be efficient and effective. Moreresearch is needed to examine how to better synthesize the usage of audit toolssupporting substantive tests and the usage of tools supporting control tests. This willhelp in improving data transparency in an ES environment, preventing fraud andimproving quality of audit reports.

Future research should further examine the ways in which the implementation ofES affects internal auditors’ work and the potential audit risks, which may occur fromthat interaction. Furthermore, research is needed in order to identify which factorsshould be considered when an audit software solution is to be chosen in an ESenvironment. In addition, future research should further examine the skills thatinternal auditors must have and the training they must get so that they will be able toconduct effective and efficient audits in such an environment.

Next, we summarize the main directions for future research.Future research is needed in order to:. understand differences between IS and financial auditors and determine how

best to resolve them;. investigate auditor interactions with ES and reveal new sources of expertise;. examine how to better synthesize the usage of audit tools supporting substantive

tests and the usage of tools supporting control tests; and. examine the ways in which the implementation of ES affects internal auditors’

work and the potential audit risks which may occur from that interaction.

JEIM24,6

516

References

Ajzen, I. (1991), “The theory of planned behavior”, Organizational Behavior and Human DecisionProcesses, Vol. 50 No. 2, pp. 179-211.

Alles, M.G., Kogan, A. and Vasarhelyi, M.A. (2008), “Putting continuous auditing theory intopractice: lessons from two pilot implementations”, Journal of Information Systems, Vol. 22No. 2, pp. 195-214.

Alles, M.G., Brennan, G., Kogan, A. and Vasarhelyi, M.A. (2006), “Continuous monitoring ofbusiness process controls: a pilot implementation of a continuous auditing system atSiemens”, International Journal of Accounting Information Systems, Vol. 7, pp. 137-61.

American Institute of Certified Public Accountants (AICPA) (2001), Statement on AuditingStandards No. 94: The Effect of Information Technology on the Auditor’s Consideration ofInternal Control in a Financial Statement Audit, AICPA, New York, NY.

Bae, B. and Ashcroft, P. (2004), “Implementation of ERP systems: accounting and auditingimplications”, Information Systems Control Journal, Vol. 5, pp. 43-8.

Best, P. (2000), “Auditing SAP R/3 - control risk assessment”, Australian Accounting Review,Vol. 10 No. 3, pp. 31-42.

Best, P., Rikhardsson, P. and Toleman, M. (2009), “Continuous fraud detection in enterprisesystems through audit trail analysis”, Journal of Digital Forensics, Security and Law, Vol. 4No. 1, pp. 39-60.

Brazel, J.F. (2005), “A measure of perceived auditor ERP systems expertise. Development,assessment and uses”, Managerial Auditing Journal, Vol. 20 No. 6, pp. 619-31.

Brazel, J.F. and Agoglia, C.P. (2007), “An examination of auditor planning judgements in acomplex accounting information system environment”, Contemporary AccountingResearch, Vol. 24 No. 4, pp. 1059-83.

Brown, W. and Nasuti, F. (2005), “What ERP systems can tell us about Sarbanes-Oxley”,Information Management and Computer Security, Vol. 13 No. 4, pp. 311-27.

Burnaby, P. and Hass, S. (2009), “A summary of the global Common Body of Knowledge 2006(CBOK) study in internal auditing”, Managerial Auditing Journal, Vol. 24 No. 9, pp. 813-34.

Cerullo, M.V. and Cerullo, M.J. (2003), “Impact of SAS 94 on computer audit techniques”,Information Systems Control Journal, Vol. 1, available at: www.isaca.org

Chang, S.I., Wu, C.C. and Chang, I.C. (2008), “The development of a computer auditing systemsufficient for Sarbanes-Oxley Section 404 – a study on the purchasing and expenditurecycle of the ERP system”, Information Systems Management, Vol. 25, pp. 211-29.

Chen, J.R. (2009), “An exploratory study of alignment ERP implementation and organizationaldevelopment activities in a newly established firm”, Journal of Enterprise InformationManagement, Vol. 22 No. 3, pp. 298-316.

Coppers, C. and Lybrand, L.L.P. (2002), Security, Audit and Control Features SAP R/3: A Technicaland Risk Management Reference Guide, IT Governance Institute, Rolling Meadows, IL.

Curtis, M.B., Jenkins, J.G., Bedard, J.C. and Donald, R.D. (2009), “Auditors’ training andproficiency in information systems: a research synthesis”, Journal of Information Systems,Vol. 23 No. 1, pp. 79-96.

Debreceny, R.S., Gray, G.L., Ng, J.J.J., Lee, K.S.P. and Yau, W.F. (2005), “Embedded audit modulesin enterprise resource planning systems: implementation and functionality”, Journal ofInformation Systems, Vol. 19 No. 2, pp. 7-27.

Eilifsen, A., Knechel, W.R. and Wallage, P. (2001), “Application of the business risk audit model:a field study”, Accounting Horizons, Vol. 15, pp. 193-207.


517

Gallegos, F. (2005), “Audit concerns: looking at ERP application integration and implementationissues”, Informations Systems Audit and Control Association, Vol. 4, available at: www.isaca.org

Goldberg, S. and Godwin, J.H. (2003), “Operational reviews and auditing ERP”, The Journal ofCorporate Accounting and Finance, Vol. 14 No. 4, pp. 63-5.

Grabski, S.V. and Leech, S.A. (2007), “Complementary controls and ERP implementationsuccess”, International Journal of Accounting Information Systems, Vol. 8, pp. 17-39.

Grabski, S.V., Leech, S.A. and Lu, B. (2001), “Risks and controls in the implementation of ERPsystems”, The International Journal of Digital Accounting Research, Vol. 1 No. 1, pp. 47-68.

Huang, S.M., Hsieh, P.G., Tsao, H.H. and Hsu, P.Y. (2008), “A structural study of internal controlfor ERP system environments: a perspective from Sarbanes-Oxley Act”, InternationalJournal of Management and Enterprise Development, Vol. 5 No. 1, pp. 102-21.

Huang, S.M., Yen, D.C., Hung, Y.C., Zhou, Y.J. and Hua, J.S. (2009), “A business process gapdetecting mechanism between information system process flow and internal control flow”,Decision Support Systems, Vol. 47, pp. 436-54.

Hunton, J.E., Mauldin, E.G. and Wheeler, P.R. (2008), “Potential functional and dysfunctionalaffects of continuous monitoring”, The Accounting Review, Vol. 83 No. 6, pp. 1551-69.

Hunton, J.E., Wright, A.M. and Wright, S. (2004), “Are financial auditors overconfident in theirability to assess risks associated with enterprise resource planning systems?”, Journal ofInformation Systems, Vol. 18 No. 2, pp. 7-28.

Kuhn, J.R. and Sutton, S.G. (2006), “Learning from WorldCom: implications for fraud detectionthrough continuous assurance”, Journal of Emerging Technologies in Accounting, Vol. 3,pp. 61-80.

Kuhn, J.R. and Sutton, S.G. (2010), “Continuous auditing in ERP system environments: thecurrent state and future directions”, Journal of Information Systems, Vol. 24 No. 1,pp. 91-112.

Kumar, K. and Hillegersberg, J.V. (2000), “Enterprise resource planning experiences andevolution”, Commun ACM, Vol. 43 No. 3, pp. 22-6.

Lee, G.H. (2008), “Rule-based and case-based reasoning approach for internal audit of bank”,Knowledge-Based Systems, Vol. 21, pp. 140-7.

Madani, H.H. (2009), “The role of internal auditors in ERP-based organizations”, Journal ofAccounting and Organizational Change, Vol. 5 No. 4, pp. 514-26.

Maurizio, A., Girolami, L. and Jones, P. (2007), “EAI and SOA: factors and methods influencingthe integration of multiple ERP systems (in an SAP environment) to comply with theSarbanes-Oxley Act”, Journal of Enterprise Information Management, Vol. 20 No. 1,pp. 14-31.

Messier, W.F., Eilifsen, A. and Austen, L.A. (2004), “Auditor detected misstatements and theeffect of information technology”, International Journal of Auditing, Vol. 8, pp. 223-35.

Munter, P. (2002), “Will technology defeat your auditor?”, The Journal of Corporate Accountingand Finance, Vol. 13 No. 4, pp. 17-22.

Public Oversight Board (POB) (2000), Panel on Audit Effectiveness: Report andRecommendations, AICPA, Stamford, CT.

Rezaee, Z. and Reinstein, A. (1998), “The impact of emerging information technology onauditing”, Managerial Auditing Journal, Vol. 13 No. 8, pp. 465-71.

Spathis, C. (2006), “Enterprise systems implementation and accounting benefits”, Journal ofEnterprise Information Management, Vol. 19 No. 1, pp. 67-82.

JEIM24,6

518

Spathis, C. and Constantinides, S. (2004), “Enterprise resource planning systems’ impact onaccounting processes”, Business Process Management Journal, Vol. 10 No. 3, pp. 234-47.

Sutton, S.G. (2000), “The changing face of accounting in an information technology dominatedworld”, International Journal of Accounting Information Systems, Vol. 1, pp. 1-8.

Sutton, S.G. (2006), “Enterprise systems and the re-shaping of accounting systems: a call ofresearch”, International Journal of Accounting Information Systems, Vol. 7, pp. 1-6.

Vasarhelyi, M., Alles, M. and Kogan, A. (2004), “Principles of analytic monitoring for continuousassurance”, Journal of Emerging Technologies in Accounting, Vol. 1, pp. 1-21.

Vendrzyk, V.P. and Bagranoff, N.A. (2003), “The evolving role of IS audit: a field studycomparing the perceptions of IS and financial auditors”, Advances in Accounting, Vol. 20,pp. 141-63.

Winograd, B.N., Gerson, J.S. and Berlin, B.L. (2000), “Audit practices of PricewaterhouseCoopers”,Auditing: A Journal of Practice and Theory, Vol. 19, pp. 175-82.

Wright, S. and Wright, A.M. (2002), “Information system assurance for enterprise resourceplanning systems: unique risk considerations”, Journal of Information Systems, Vol. 16,pp. 99-113.

Yang, D.C. and Guan, L. (2004), “The evolution of IT auditing and internal control standards infinancial statement audits. The case of the United States”, Managerial Auditing Journal,Vol. 19 No. 4, pp. 544-55.

Yen, C.C., Huang, S.M., Li, C.L. and Hsiah, Y.C. (2006), “Application, influence and impact ofSarbanes-Oxley Act”, Computer Auditing Journal, Vol. 15, pp. 1-11.

Corresponding authorCharalambos Spathis can be contacted at: [email protected]


519

To purchase reprints of this article please e-mail: [email protected] visit our web site for further details: www.emeraldinsight.com/reprints

Auditing In

Documents

Transcript of Auditing In